PT-2022-24868 · Unknown · Codeigniter
Mgatner · Published 2022-10-06 · Updated 2024-03-06 · CVE-2022-39284
CVSS v3.1: 2.6 (Low)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: CodeIgniter versions prior to 4.2.7
Description: Setting $secure or $httponly to true in Config\Cookie is not reflected in set_cookie() or Response::setCookie(), so cookies are emitted without the Secure and HttpOnly attributes and their values are erroneously exposed to scripts. This vulnerability does not affect session cookies.
Recommendations: For versions prior to 4.2.7, upgrade to v4.2.7 or later. As a temporary workaround, specify the options explicitly by setting 'secure' and 'httponly' to true in the cookie array, or construct Cookie objects to ensure secure cookie handling. For example, specify the options explicitly:
$cookie = [
    'name'     => $name,
    'value'    => $value,
    'secure'   => true, // set explicitly; the Config\Cookie default is ignored in affected versions
    'httponly' => true,
];
set_cookie($cookie);
// or
$this->response->setCookie($cookie);
Or use a Cookie object:
use CodeIgniter\Cookie\Cookie;

$cookie = new Cookie($name, $value);
set_cookie($cookie);
// or
$this->response->setCookie($cookie);
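A check for the flags the workaround sets, as an added example that is not part of this advisory or of CodeIgniter: it parses Set-Cookie header values (constructed sample lines, plus an optional live fetch through urllib against a hypothetical URL) and reports each cookie missing Secure or HttpOnly, which is how to confirm that the upgrade or the explicit-options workaround actually reached the response headers.

```python
"""Verify that Set-Cookie headers carry Secure and HttpOnly.

Added helper, not CodeIgniter code: run it after the upgrade or the explicit
options workaround to confirm the configured secure/httponly flags reach the headers.
"""
from typing import Dict, List
from urllib.request import urlopen

# Constructed sample headers: the first is correctly flagged, the others
# show the missing attributes this advisory describes.
SAMPLE_HEADERS = [
    "remember_me=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Max-Age=3600",
    "csrf_cookie_name=tok; Path=/; HttpOnly",
]

def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name and attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive; only the key matters for flags.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {
        "name": name.strip(),
        "value": value,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }

def insecure_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to the flag attributes it is missing."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [label for label, key in (("Secure", "secure"), ("HttpOnly", "httponly"))
                   if not cookie[key]]
        if missing:
            findings[str(cookie["name"])] = missing
    return findings

def check_url(url: str) -> Dict[str, List[str]]:
    """Fetch a URL (hypothetical target, needs network) and check its cookies."""
    with urlopen(url) as resp:
        return insecure_cookies(resp.headers.get_all("Set-Cookie") or [])

if __name__ == "__main__":
    for name, missing in insecure_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```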

Weakness Enumeration

Incorrect Permission
Improper Initialization

Related Identifiers

BIT-CODEIGNITER-2022-39284
CVE-2022-39284
GHSA-745P-R637-7VVP

Affected Products

Codeigniter